Quantum key distribution based on orthogonal states allows secure quantum bit commitment
For more than a decade, it was believed that unconditionally secure quantum bit commitment (QBC) is impossible. But based on a previously proposed quantum key distribution scheme using orthogonal states, here we build a QBC protocol in which the density matrices of the quantum states encoding the commitment do not satisfy a crucial condition on which the no-go proofs of QBC are based. Thus the no-go proofs could be evaded. Our protocol is fault-tolerant and very feasible with currently available technology. It reopens the avenue for other "post-cold-war" multi-party cryptographic protocols, e.g., quantum bit string commitment and quantum strong coin tossing with an arbitrarily small bias. This result also has a strong influence on the Clifton-Bub-Halvorson theorem which suggests that quantum theory could be characterized in terms of information-theoretic constraints.

I. INTRODUCTION

Quantum bit commitment (QBC) is an essential primitive for quantum cryptography. It is the building block for quantum multi-party secure computations and more complicated "post-cold-war era" multi-party cryptographic protocols (HQ-. The first QBC protocol was proposed along with the very first proposal for quantum key distribution (QKD), i.e., the Bennett-Brassard (BB) 84 protocol 0. But it was pointed out at the same time that the protocol is insecure against coherent attacks. An improved one was proposed later, known as the Brassard-Crepeau-Jozsa-Langlois (BCJL) 93 protocol [4]. It was accepted as secure for a while until a cheating strategy was found in 1996 Q. Shortly after, it was further concluded that any QBC protocol cannot be unconditionally secure in principle. This result was called the Mayers-Lo-Chau (MLC) no-go theorem. It was considered as putting a serious drawback on quantum cryptography. Though the result is widely accepted nowadays, there is also doubt on the generality of the theoretical model of QBC used in the no-go proof, as it seems unconvincing that limited mathematical formulation can characterize all possible protocols @. New protocols attempting to evade the no-go theorem were proposed every now and then [10]-[28], though most of them turned out to be unsuccessful [29], [30] or at least failed to gain a wide recognition. Nevertheless, these attempts stimulated the research on proving the no-go theorem in more rigorous forms. Refs. [31]-[35] reviewed the original no-go proof with fuller explanations, with some simple examples of insecure protocols given in HH M. Ref. also extended the proof to cover ideal quantum coin tossing. More complicated examples on how to apply the no-go proof to break some quantum as well as classical bit commitment (BC) protocols which looked promising at that time were provided in [36] and respectively. Refs. [38]-[40] further studied the security bounds of QBC quantitatively, with [39] focused on the protocol in Q. Refs. [41], [42] worked on a similar direction, while focused especially on the class of protocols in [10]-[14]. Later on, a very detailed proof was presented both in the Heisenberg picture [43] and the Schrödinger picture [44], with the intention to achieve a more rigorous bound on the concealment-bindingness tradeoff that can apply to all conceivable QBC protocols in which both classical and quantum information are exchanged, including [l(|, [18]-[20], [22]. It was also shown that the no-go theorem remains valid in a world subject to superselection rules [45]-[47], or for QBC associated with secret parameters [48], [49], or when the participants are restricted to use Gaussian states and operations only [50]. Recent efforts also include [51], [52], which proved the no-go theorem with alternative methods.

As the no-go theorem became well-accepted, people started to discuss the possibility of building BC under various security conditions, e.g., classical BC under relativistic settings [53], [54] or tamper-evident seals [55], quantum relativistic BC [56], computationally secure QBC [58]-[61]. There are also QBC under experimental limitations, such as individual measurements [62], [63] or limited coherent measurements [64], misaligned reference frames [65], limited or noisy quantum storage [66]-[71], instability of particles [72], [73], Gaussian operations with non-Gaussian states [74], etc. [75]-[78]. Some even considered BC in post-quantum theories
proposed less secure QBC [H, H3; variations of the definition of QBC, e.g., cheat-sensitive QBC [85]-[88], conditionally secure QBC [89], etc. [90]-[93].

In this paper we still focus on the original QBC without these conditions. Based on an existing QKD scheme using orthogonal states [94], [95], we show that it becomes possible to build a QBC protocol, to which the no-go proofs do not apply. This protocol enables many other cryptographies, and is readily implementable with currently available technology. We also address the relationship between this finding and the Clifton-Bub-Halvorson (CBH) theorem [9a ] which tries to characterize quantum theory in terms of information-theoretic constraints.

QKD provides an unconditionally secure method for two remote participants to transmit secret information against any eavesdropper. Most existing QKD schemes (e.g., [!, [15, 98]) use nonorthogonal states as carriers for the transmitted information. Since quantum mechanics guarantees that nonorthogonal states cannot be faithfully cloned, any eavesdropping will inevitably introduce detectable disturbance on the states. Thus the eavesdropper will be caught once he gains a non-trivial amount of information. For this reason, it was once believed that nonorthogonal states are necessary for secure QKD. But Goldenberg and Vaidman managed to present a scheme based on orthogonal states [94]. This brilliant idea opens yet another path for adopting more bizarre properties of quantum mechanics for cryptography. We will use it as the base of our current work.

Generally, in both QKD and QBC the two participants are called Alice and Bob. But in our current proposal of QBC, the actions of Bob are more similar to those of the eavesdropper than to those of the Bob in QKD. To avoid confusion, in this paper we use the names in the following way. In QKD, the sender of the secret information is called Alice, the receiver is renamed as Charlie instead of Bob, and the external eavesdropper is called Eve. In QBC, the sender of the commitment is Alice, the receiver is Bob, and there is no Eve since QBC merely deals with the cheating from internal dishonest participants, instead of external eavesdropping.

II. QKD SCHEME BASED ON ORTHOGONAL STATES

The QKD scheme proposed in [94] is outlined below. Consider the ideal case where no transmission error occurs in the communication channels. Alice encodes the bit values 0 and 1 she wants to transmit to Charlie, respectively, using two orthogonal states

$$0 \to |\Psi_0\rangle = (|a\rangle + |b\rangle)/\sqrt{2},$$
$$1 \to |\Psi_1\rangle = (|a\rangle - |b\rangle)/\sqrt{2}. \qquad (1)$$

Here $|a\rangle$ and $|b\rangle$ are the localized wave packets of the same qubit. When sending these states to Charlie, two details are important for the security of the scheme. First, $|a\rangle$ and $|b\rangle$ are not sent simultaneously, but separated by a fixed delay time $\tau$. The value of $\tau$ should ensure that $|a\rangle$ reached Charlie's site before $|b\rangle$ leaves Alice's site (for simplicity, we do not study the case where $\tau$ is further reduced, even though it may not hurt the security), so that the two wave packets are never present together in the transmission channels. Second, the sending time of each $|\Psi_0\rangle$ and $|\Psi_1\rangle$ is random, and kept secret from Eve until $|a\rangle$ already arrived.

FIG. 1 illustrates the diagram for an experimental implementation of the scheme using a Mach-Zehnder interferometer. Alice prepares $|\Psi_0\rangle$ ($|\Psi_1\rangle$) by sending a single photon from the source $S_0$ ($S_1$), and then splits it into $|a\rangle$ and $|b\rangle$ using the beam splitter $BS_1$. $|a\rangle$ is sent directly to Charlie while $|b\rangle$ is delayed by the storage ring $SR_1$ before sending. At Charlie's site, $|a\rangle$ is delayed by the storage ring $SR_2$ and then meets $|b\rangle$ at the beam splitter $BS_2$ and interferes. The delay times caused by $SR_1$ and $SR_2$ are tuned equal. Thus the complete apparatus of Alice's and Charlie's forms a balanced Mach-Zehnder interferometer, so that $|\Psi_0\rangle$ ($|\Psi_1\rangle$) will always make the detector $D_0$ ($D_1$) click when no eavesdropping occurs, allowing Charlie to decode the transmitted bit value. Alice sends Charlie a series of $|\Psi_0\rangle$ and $|\Psi_1\rangle$, then announces all the sending times and some of the encoded bits for security check. If all announced results match with Charlie's measurement, the two parties keep the unannounced encoded bits as the secret key. It was shown that the scheme is unconditionally secure [94], [95], since Eve can never access the entire states $|\Psi_0\rangle$ and $|\Psi_1\rangle$, unless she intercepts and delays $|a\rangle$. But then she needs to send Charlie a "dummy" state in advance to escape the detection. However, without knowing Alice's sending time beforehand, Eve can hardly send the dummy state at the proper time. Thus eavesdropping will be revealed once Alice does not send any state while Charlie's detectors click after time $\tau$.



III. OUR QBC PROTOCOL 

QBC is a two-party cryptography including two phases. In the commit phase, Alice (the sender of the commitment) decides the value of the bit b (b = 0 or 1) which she wants to commit, and sends Bob (the receiver of the commitment) a piece of evidence, e.g., some quantum states. Later, in the unveil phase, Alice announces the value of b, and Bob checks it with the evidence. An unconditionally secure QBC protocol needs to be both binding (i.e., Alice cannot change the value of b after the commit phase) and concealing (Bob cannot know b before the unveil phase) without relying on any computational assumption.

To make use of the QKD scheme in [94] for QBC, our starting point is to treat Charlie's site as a part of Alice's, so that the two parties merge into one. That is, Alice sends out a bit-string encoded with the above orthogonal states, whose value is related with the bit she wants to commit. Then she receives the states herself. Meanwhile, let Bob take the role of Eve. His action shifts between two modes. In the intercept mode, he applies the intercept-resend attack to read parts of the string. In the bypass mode, he simply does nothing so that the corresponding parts of the states return to Alice intact. Since the eavesdropping on every single bit of the string has a non-trivial probability to escape Alice's detection, at the end of the process some bits of the string become known to Bob, while Alice does not know the exact position of these bits. Thus she cannot alter the bit-string freely at a later time, making the protocol binding. On the other hand, Bob cannot eavesdrop the whole string without being detected. Thus the value of the committed bit can be made concealing by putting a limit on the error rate Bob is allowed to make in the protocol.

FIG. 1: Diagram of the experimental implementation of the QKD scheme based on orthogonal states [94]. The state of a photon produced by the source $S_0$ ($S_1$) will become $|\Psi_0\rangle = (|a\rangle + |b\rangle)/\sqrt{2}$ ($|\Psi_1\rangle = (|a\rangle - |b\rangle)/\sqrt{2}$) after passing the beam splitter $BS_1$. The wave packets $|a\rangle$ and $|b\rangle$ are sent through channels A and B respectively. When no eavesdropper is present, the storage rings $SR_1$, $SR_2$ and the mirrors $M_1$, $M_2$ will ensure the complete apparatus work as a Mach-Zehnder interferometer with balanced arms, so that $|\Psi_0\rangle$ and $|\Psi_1\rangle$ will be detected by the detectors $D_0$ and $D_1$, respectively.

The rigorous description of our QBC protocol is as follows.

The commit protocol: 

(1) Bob chooses a binary linear (n, k, d)-code C and announces it to Alice, where n, k, d and another parameter s ($s \gg n > k > d$) are agreed on by both Alice and Bob.

(2) Alice chooses a nonzero random n-bit string $r = (r_1 r_2 \ldots r_n) \in \{0,1\}^n$ and announces it to Bob. This makes any n-bit codeword $c = (c_1 c_2 \ldots c_n)$ in C sorted into either of the two subsets $C_{(0)} = \{c \in C \mid c \odot r = 0\}$ and $C_{(1)} = \{c \in C \mid c \odot r = 1\}$. Here $c \odot r = \bigoplus_{i=1}^{n} c_i \wedge r_i$.

(3) Now Alice decides the value of the bit b that she wants to commit. Then she chooses a codeword c from $C_{(b)}$ randomly.

(4) Alice and Bob treat the timeline as a series of discrete time instants $t_1, t_2, \ldots, t_s$ with equal intervals. Alice encodes each bit of c as $c_i \to |\Psi_{c_i}\rangle = (|a_i\rangle + (-1)^{c_i} |b_i\rangle)/\sqrt{2}$ and sends them to Bob. The time $t(i)$ for sending each $|\Psi_{c_i}\rangle$ is randomly chosen among $t_1, t_2, \ldots, t_s$, while all $t(i)$'s ($i = 1, 2, \ldots, n$) should be chosen in the sequence of i, i.e., there should be $t(i_1) < t(i_2)$ for any $i_1 < i_2$. Also, just as the QKD scheme in [94], the two wave packets $|a_i\rangle$ and $|b_i\rangle$ of the same qubit $|\Psi_{c_i}\rangle$ are not sent simultaneously. When we say that $|\Psi_{c_i}\rangle$ is sent at time $t(i)$, we mean that $|a_i\rangle$ is sent at time $t(i)$, while $|b_i\rangle$ is delayed and then leaves Alice's site at time $t(i) + \tau$. The delay time $\tau$ is fixed for all $|\Psi_{c_i}\rangle$'s and known to Bob.



(5) At each of the time instants $t_1, t_2, \ldots, t_s$, Bob chooses the intercept mode with probability $\alpha$ and the bypass mode with probability $1 - \alpha$.

If he chooses to apply the intercept mode at time $t_j$ ($j \in \{1, 2, \ldots, s\}$), he prepares a qubit in the state $|\Psi_0\rangle = (|a_j\rangle + |b_j\rangle)/\sqrt{2}$, sends the wave packet $|a_j\rangle$ to Alice at time $t_j$, while $|b_j\rangle$ is temporarily delayed. Meanwhile, Bob adds a delay circuit to the quantum communication channel A (where the wave packets $|a_j\rangle$'s come from Alice). At time $t_j + \tau$, he combines the output of this delay circuit with the quantum communication channel B (where the wave packets $|b_j\rangle$'s come from Alice), and measures whether Alice has sent him $|\Psi_0\rangle$, $|\Psi_1\rangle$ or nothing at all. If the result of the measurement is $|\Psi_0\rangle$ ($|\Psi_1\rangle$), he leaves his delayed $|b_j\rangle$ unchanged (he introduces a phase shift to change $|b_j\rangle$ into $-|b_j\rangle$) and sends it to Alice. In this case, Bob learned the state Alice sent at time $t_j$ while Alice cannot detect this action with certainty. But if Bob found nothing in his measurement, he measures (or simply discards) $|b_j\rangle$. In this case, Alice's detectors will click with probability 1/2 due to the presence of $|a_j\rangle$, revealing that Bob is running the intercept mode.

On the other hand, if Bob chooses to apply the bypass mode at time $t_j$, he simply keeps channel A intact at time $t_j$, and channel B intact at time $t_j + \tau$. Consequently, if a state was sent from Alice at time $t_j$, it will be returned to her detectors as-is at time $t_j + \tau$.

(6) Alice uses the same apparatus that Bob used in the intercept mode, to measure the output of the quantum communication channels from Bob. She counts the total number of the states she received from Bob, and denotes it as $n'$. By analyzing step (5) it can be shown that $n' \sim \alpha(s - n)/2 + n$. Thus Alice can estimate the probability of Bob choosing the intercept mode as $\alpha \sim 2(n' - n)/(s - n)$. Alice agrees to continue with the protocol if $\alpha < 1 - d/n$, which means that the number of $c_i$'s known to Bob is $\alpha n < n - d$.

(7) Alice announces all the time instants $t(i)$'s at which she sent $|\Psi_{c_i}\rangle$'s ($i = 1, 2, \ldots, n$). Bob checks that he indeed detected some states at each $t(i) + \tau$ and no detection was found at other times, as long as he has chosen the intercept mode at the corresponding time instants. This completes the commit phase.

The unveil protocol: 

(8) Alice announces the values of b and $c = (c_1 c_2 \ldots c_n)$.

(9) Bob accepts the commitment if $c \odot r = b$ and c is indeed a codeword from C, and every $c_i$ agrees with the state $|\Psi_{c_i}\rangle$ he received in the intercept mode.

The diagram for implementing this protocol using the Mach-Zehnder interferometer is shown in FIG. 2.

Intuitively, the protocol can achieve the goal of QBC for the following reasons. The binary linear (n, k, d)-code C can simply be viewed as a set of classical n-bit strings. Each string is called a codeword. This set of strings has two features. (A) Among all the $2^n$ possible choices of n-bit strings, only a particular set of the size $\sim 2^k$ is selected to form this set. (B) The distance (i.e., the number of different bits) between any two codewords in this set is not less than d. Feature (A) puts a limit on Alice's freedom on choosing the initial state $|\Psi_c\rangle = |\Psi_{c_1}\rangle \otimes |\Psi_{c_2}\rangle \otimes \ldots \otimes |\Psi_{c_n}\rangle$. Meanwhile, feature (B) guarantees that if Alice wants to change the string c from one codeword into another, she needs to change at least d qubits of $|\Psi_c\rangle$. But the intercept mode in the protocol enables Bob to learn about $\alpha n$ bits of the string c, while Alice does not know all the positions of these bits in c with certainty. Therefore, when Alice alters the codeword corresponding to $|\Psi_c\rangle$, the probability for her to escape the detection will be only at the order of magnitude of $(1 - \alpha)^d$. By increasing d, the security of the protocol against Alice's cheating will be strengthened. On the other hand, feature (A) also guarantees that the number of different codewords having less than n − d bits in common increases exponentially with k. That is, as Bob knows only $\alpha n < n - d$ bits of c, the potential choices for c are too many for him to determine whether c belongs to the subset $C_{(0)}$ or $C_{(1)}$. Thus his knowledge on the committed bit b before the unveil phase can be made arbitrarily close to zero by increasing k. Fixing k/n and d/n while increasing n will then result in a protocol secure against both parties.
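The classical bookkeeping of steps (2)-(9) can be simulated directly. The following is an added example, not code from the paper: it models only what each party counts and learns (no quantum states), and the toy [7,4,3] Hamming code, the slot counts and the value of alpha are assumptions chosen for illustration.

```python
import random
from itertools import product

# Constructed toy parameters (assumptions, not from the paper): the binary
# [7,4,3] Hamming code stands in for Bob's (n, k, d)-code C.
G = [[1, 0, 0, 0, 1, 1, 0],
     [0, 1, 0, 0, 1, 0, 1],
     [0, 0, 1, 0, 0, 1, 1],
     [0, 0, 0, 1, 1, 1, 1]]
N, D = 7, 3


def codewords(gen):
    """All codewords spanned by the generator matrix over GF(2)."""
    words = set()
    for msg in product((0, 1), repeat=len(gen)):
        words.add(tuple(sum(m * row[i] for m, row in zip(msg, gen)) % 2
                        for i in range(len(gen[0]))))
    return sorted(words)


def parity(c, r):
    """c . r = XOR over i of (c_i AND r_i), as in step (2)."""
    return sum(ci & ri for ci, ri in zip(c, r)) % 2


def commit(b, r, code, s, alpha, rng):
    """Steps (3)-(6): returns Alice's codeword, Bob's learned bits and n'."""
    subset = [c for c in code if parity(c, r) == b]
    if not subset:  # r is orthogonal to every codeword, so C_(b) is empty
        raise ValueError("r leaves C_(b) empty; Alice must pick another r")
    c = rng.choice(subset)
    slots = sorted(rng.sample(range(s), len(c)))   # t(1) < ... < t(n)
    sent = dict(zip(slots, range(len(c))))         # slot -> bit index i
    bob_known, n_prime = {}, 0
    for t in range(s):
        intercept = rng.random() < alpha
        if t in sent:
            n_prime += 1              # a state reaches Alice in both modes
            if intercept:
                bob_known[sent[t]] = c[sent[t]]
        elif intercept and rng.random() < 0.5:
            n_prime += 1              # Bob's lone |a_j> clicks w.p. 1/2
    return c, bob_known, n_prime


def estimate_alpha(n_prime, n, s):
    """Alice's estimate from step (6): alpha ~ 2(n' - n) / (s - n)."""
    return 2 * (n_prime - n) / (s - n)


def bob_accepts(b, c, r, code, bob_known):
    """Step (9): c in C, c . r = b, and c agrees with every intercepted bit."""
    return (tuple(c) in set(code) and parity(c, r) == b
            and all(c[i] == bit for i, bit in bob_known.items()))


def cheat_escape_rate(r, code, s, alpha, trials, rng):
    """Alice commits to b=0, then unveils the nearest codeword of C_(1)."""
    escapes, dist = 0, None
    for _ in range(trials):
        c, known, _ = commit(0, r, code, s, alpha, rng)
        fake = min((w for w in code if parity(w, r) == 1),
                   key=lambda w: sum(x != y for x, y in zip(w, c)))
        dist = sum(x != y for x, y in zip(fake, c))
        escapes += bob_accepts(1, fake, r, code, known)
    return escapes / trials, dist


if __name__ == "__main__":
    rng = random.Random(1)
    code = codewords(G)
    r = (1, 0, 0, 0, 0, 0, 0)
    c, known, n_prime = commit(1, r, code, 20000, 0.3, rng)
    print("alpha estimate:", round(estimate_alpha(n_prime, N, 20000), 3))
    rate, dist = cheat_escape_rate(r, code, 40, 0.3, 4000, rng)
    print("escape rate:", rate, "predicted:", round(0.7 ** dist, 3))
```

With alpha = 0.3 the measured escape rate sits near (1 − alpha)^d = 0.343, which shows why d has to grow with n for the protocol to be binding.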

Note that when $n \to \infty$ with k/n, d/n, and $\alpha$ fixed, the probabilities for Alice and Bob to cheat successfully in our protocol will both drop arbitrarily close to 0, but they never strictly equal 0. As defined in 0, HH, if a protocol can make the probability of successful cheating strictly equal to 0, then it is considered as "perfectly secure". On the other hand, when speaking of "unconditionally secure", it generally implies that the protocol should meet two requirements simultaneously. (I) Theoretically, the security of the protocol must be based directly on fundamental laws of physics (e.g., the validity of the postulates of quantum mechanics or relativity) alone rather than computational assumptions. (II) Quantitatively, the probability of successful cheating does not equal 0, but can be made arbitrarily close to 0 by increasing some security parameters of the protocol. To emphasize the second meaning, some people use the term "information-theoretically secure" interchangeably with "unconditionally secure" [46]. So we can see that our protocol falls into this category. This is already the best we could expect from quantum cryptography so far. For example, the BCJL93 QBC protocol [4] tried to reduce the probability of successful cheating down to exactly the same level (i.e., arbitrarily close but not equal to 0), but was proven to fail by [f|. Ref. [38] also showed that perfectly secure QBC is impossible. The protocols proposed in it are even less secure, as at least one of the probabilities of Alice's and Bob's successful cheating can never be made arbitrarily close to 0. In fact, even the well-known BB84 QKD protocol Q is not perfectly secure. This is because the eavesdropper Eve can always perform the most basic intercept-resend attack. That is, she intercepts any quantum state from the sender, measures it in a basis which she chooses simply by guess, then resends the resultant state to the receiver. While she stands a great chance to be detected whenever her guess is wrong, we can never neglect the probability that she can be so lucky that she guesses all the bases correctly. Even though this probability is extremely small, and drops arbitrarily close to 0 with the increase of the number of states used in the protocol, still it is never strictly equal to 0. Nevertheless, QKD is still considered as the most secure communication method of today. Thus we see that an unconditionally secure protocol is already good enough.

Under practical settings, some steps of our protocol may need minor modifications. For example, the protocol can be made fault-tolerant as long as d/n is chosen to be much larger than the transmission error rate $\varepsilon$ of the quantum channels. This is because the distance between any two codewords is not less than d. Even if a dishonest Alice replaces the channels with noiseless ones so that she can alter up to $\varepsilon n$ bits of the string c while blaming it on the transmission error, it is still insufficient to change a codeword into another one so that her committed bit b will not be altered. For this reason, in step (9) Bob can in fact allow the mismatched results between Alice's announced $c_i$ and Bob's received $|\Psi_{c_i}\rangle$ to occur with a probability not greater than $\varepsilon$, thus making the protocol fully functional with noisy channels. Also, in real settings the physical systems implementing the qubits may have other degrees of freedom, which leave room for some technical cheating strategies. For instance, Alice may send photons with certain polarization or frequency, so that she can distinguish them from the photons Bob sends in the intercept mode. In this case, Bob and Alice should discuss at the beginning of the protocol, to limit these degrees of freedom to a single mode. In step (5) when Bob chooses the intercept mode, he should also measure occasionally these degrees of freedom of some of Alice's photons, instead of performing the measurement in the original step (5). Then if Alice wants to send distinguishable photons with a high probability so that they are sufficient for her cheating, she will inevitably be detected. Another example is given in the appendix showing how to deal with the counterfactual attack.

FIG. 2: Diagram for the apparatus of the QBC protocol when Bob chooses the intercept mode. At time $t_j$, he delays anything coming from channel A, produces $|\Psi_0\rangle = (|a\rangle + |b\rangle)/\sqrt{2}$ using the source $S_0$, and sends the wave packet $|a\rangle$ to Alice while delaying $|b\rangle$. At time $t_j + \tau$, he measures the state from Alice. If the detector $D_0$ clicks, he sends the delayed wave packet $|b\rangle$ to Alice directly. Else if the detector $D_1$ clicks, he changes $|b\rangle$ to $-|b\rangle$ using the phase shifter PS before sending. If none of $D_0$ and $D_1$ clicks, he discards $|b\rangle$. On the other hand, if Bob chooses the bypass mode at time $t_j$, he simply removes any device in his box and lets channel A (channel B) pass through to Alice intact at time $t_j$ (at time $t_j + \tau$).



IV. SECURITY 

Since the number of potential cheating strategies could be infinite, in this work we do not attempt to prove that our protocol is unconditionally secure against any strategy. What will be shown here is that our protocol is at least not covered by the cheating strategy used in the MLC no-go theorem that makes all previous QBC schemes insecure.

Briefly, the MLC no-go theorem and all its variations [5]-[8], [31]-[52] have the following common features.

(i) The reduced model. According to the no-go proofs, any QBC protocol can be reduced to the following model. Alice and Bob together own a quantum state in a given Hilbert space. Each of them performs unitary transformations on the state in turns. All measurements are performed at the very end.

(ii) The coding method. The quantum state corresponding to the committed bit b has the form

(2)

Here the systems A and B are owned by Alice and Bob respectively, $\{|e_j^{(b)}\rangle_A\}$ is an orthogonal basis of system A while $|f_j^{(b)}\rangle_B$'s are not necessarily orthogonal to each other.

(iii) The concealing condition. To ensure that Bob's information on the committed bit is trivial before the unveil phase, any QBC protocol secure against Bob should satisfy

$$\rho_0^B \simeq \rho_1^B, \qquad (3)$$

where $\rho_b^B = \mathrm{Tr}_A |\psi_b\rangle\langle\psi_b|$ is the reduced density matrix of the state sent to Bob corresponding to Alice's committed bit b. Note that in some presentation of the no-go proofs (e.g. (H, IH, this feature was expressed using the trace distance or the fidelity instead of the reduced density matrices, while the meaning remains the same.

(iv) The cheating strategy. As long as Eq. (3) is satisfied, there exists a local unitary transformation for Alice to map $|\psi_0\rangle$ into $|\psi_1\rangle$ successfully with a high probability [100]. Thus a dishonest Alice can unveil the state as either $|\psi_0\rangle$ or $|\psi_1\rangle$ at her will with a high probability to escape Bob's detection. For this reason, a concealing QBC protocol cannot be binding.

The key that makes our protocol evade the no-go proofs is that it does not have the feature (iii). As shown in Eq. (1), every bit value $c_i$ in our protocol is encoded with orthogonal states. Therefore the state $|\Psi_c\rangle$ corresponding to a codeword c is orthogonal to any other state $|\Psi_{c'}\rangle = |\Psi_{c'_1}\rangle \otimes |\Psi_{c'_2}\rangle \otimes \ldots \otimes |\Psi_{c'_n}\rangle$ corresponding to a different codeword c'. Consequently, the two Hilbert spaces supported by the states corresponding to the codeword subsets $C_{(0)}$ and $C_{(1)}$ respectively are completely orthogonal to each other. Therefore it is obvious that our protocol satisfies $\rho_0^B \perp \rho_1^B$ instead of Eq. (3). Then Alice's cheating strategy (iv) will no longer apply because the corresponding unitary transformation does not exist without Eq. (3). Since all existing no-go proofs of unconditionally secure QBC [5]-[8], [31]-[52] have the feature $\rho_0^B \simeq \rho_1^B$, we can see that they all fail to cover our protocol.

Let us elaborate in more details. The existence of Alice's cheating strategy in the no-go proofs is backed by the Hughston-Jozsa-Wootters (HJW) theorem [100] basing on Schmidt decomposition. Following the manner of [31], it can be expressed in simple words as:

The HJW theorem: Let $f_1, f_2, \ldots, f_m$ and $f'_1, f'_2, \ldots, f'_n$ be two sets of possible quantum states with associated probabilities described by an identical density matrix $\rho$. It is possible to construct a composite system $A \otimes B$ such that B alone has density matrix $\rho$ and such that there exists a pair of measurements M, M' with the property that applying M (resp. M') to A yields an index j of state $f_j$ (resp. $f'_j$) to which B will have collapsed.

Now consider a QBC protocol which requires Alice to 
encode the committed b in the state 



1^6=0 



|^6=l) 



(0)\ 

' 1 1 



3 



(1) 



(4) 



(5) 



respectively, where the meaning of the notations are the 
same as that of Eq. ^ . When the concealing condition 
Po ~ pf is satisfied, according to the HJW theorem there 
exists another basis { | e j ) ^ } °f system A with which we 
can rewrite Eq. (jj) as 



lift 



(i) 



Comparing with Eq. ([5]), we can see that \tpb=o) differs 
from \ipb=i) only by a local unitary transformation XJ a of 

Alice which maps lie') .} into { e!; ) }. That is, with 

this transformation, Alice can alter the commitment in 
the unveil phase by herself. The actual cheating proce- 
dure is as follows. Alice always uses |V'6=o) to execute 
the commit protocol regardless the value of b. Later, 
if she wants to unveil b = 0, she simply measures sys- 



tem A in the basis { 



(0)\ 



,(°)\ 
'i I a 



} to collapse system B into 



(where j is determined by the quan- 



a certain j- > 
J IB 

turn uncertainty in the measurement). Else if she wants 
to unveil 6=1, she rotates her basis to {|ej)^} so that 
the corresponding measurement can collapse system B 

to a certain 



system A to Bob for verification, all she needs to do is 
to further apply the local unitary transformation U a on 

system A to rotate \e'j) A into ej 1 ^ . Thus she can al- 
ways unveil 6 = successfully with the probability 100%, 
while unveiling 6 = 1 can also be successful with a very 
high probability (which can reach 100% when p^ equals 
to pf exactly). Namely, Alice can cheat because there 
are two different bases for system A, both of which can 
lead to a legitimate outcome in the unveil phase. 

But in our QBC protocol, as the state \^> c ) sent to Bob 
satisfies Pq _L pf , \ipb=o) can n ° longer be expressed as 
the superposition of the components of \ipb=i) like Eq. 
([5]). Consequently, even if Alice introduces an ancillary 
system A entangled with many different |^ c )'s in the 
form of Eq. there will be no alternative basis for 

Alice to alter her commitment. Instead, unveiling 6 = 
and 6=1 will be performed in the same basis. This 
can be seen from the following analysis. Let H denote 
the Hilbert space of the composite system A <g> B sup- 
ported by all possible committed states. Let Hq (Hi) be 
its subspace supported by all the states encoding 6 = 



(6 = 1), with { 



(0) 



} ({ 



(1) 



}) denoting one 



of its basis. The condition pE _L pf indicates that Hq 



and Hi have no overlap at all. Therefore { 



(o)\ 
9j ) 



} 



and { 



(i) 



} share no state in common. Any Al- 



ice's local unitary transformation U a on system A can 
be extended as U = U a ® Ib, which becomes a uni- 
tary transformation on the composite system A ® B. 
Here Is is the identity operator on system B. Obvi- 

(o) \ 

9 * A 



ously any U in this form cannot map { 

}. Thus Alice's actions for unveiling 6 



} into 
and 



A0B 



{ 

6=1, respectively, are not related with each other by a 
local unitary transformation of her own. Instead, the set 



{ 



(o) 

9 3 



A®B 



si" 



A®B 



.} = { 



(0) 
9 3 



A®B 



,}u{ 



} 



(6) forms a single complete orthogonal basis of the global 



space H = Ho © Hi, as either of { 



.(0) 



} and 



{ / } alone is incomplete. Therefore, when writ- 

3 I A®B 

ing out the Schmidt decomposition of the committed 



state in forms of Eqs 
and 



gl) and 



the states 



(o)\ 
/ 1 



/,. ) belong to the same basis, instead of two 
J IB 

different bases nonorthogonal to each other. As a result, 
comparing with the description of the HJW theorem, now 
f[°\ / 2 (0) , /i 0) and / 2 (1) , together form a 

single set of orthogonal quantum states with associated 
probability described by a density matrix p. When con- 
structing a composite system A ® B such that B alone 
has density matrix p, the "two" measurements M, M' 
(with the property that applying M (resp. M') to A 



yields an index j of state /j -* (resp. fj 1 ') to which B 
3 / b' ^ ven s ^ e ^ s re< l u i re d to transfer w jn have collapsed) now both become incomplete mea- 



K 1 ) 
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surements on system A. Together they form one single 



I. 



} and { 



} in 



complete measurement set. { 

Eqs. (jlj) and (0 now both belong to the same single 
orthogonal basis of system A corresponding to this com- 
plete measurement. No matter what value Alice wants to 
unveil, her action is always to perform the measurement 
in this basis. Which one of the unveiled values will finally 
be obtained is determined by the form of the state Alice 
prepared in the commit phase, and the quantum uncer- 
tainty in the unveil measurement (if Alice has prepared 
the state in the form of Eq. §7§, which we will discuss 
in more details in the next section). Either way, it is 
not determined by Alice's different actions in the unveil 
phase, as there does not exist a second legitimate action 
at all. If Alice insists to measure in a different basis other 



than { 



}U{ 



}, it will not lead to any specific legitimate unveiled
outcome with certainty, because it will collapse the state
of each qubit she sent to Bob into
$|\Psi\rangle = \cos\theta\,|a\rangle + \sin\theta\,|b\rangle$
(where $\theta \neq k\pi \pm \pi/4$, k is an integer) or similar
forms, instead of Eq. (TTJ). Thus it will only increase the
probability for her cheating to be detected. Therefore we
see that the feature $\rho_0^B \perp \rho_1^B$ eliminates the
existence of a second legitimate measurement basis, making
Alice's cheating strategy described in the previous
paragraph futile in our protocol.

In fact, similar characteristics can also be found in a bit
commitment protocol proposed by Kent [53], which bases
its security on relativity instead of quantum mechanics.
As pointed out in the 3rd paragraph of the introduction
of [43], "Kent's relativistic bit commitment protocol does
not rely on the existence of alternative decompositions of
a density operator, and so its security is not challenged
by the Mayers-Lo-Chau result." As our protocol uses
orthogonal states to encode the committed bit, it does not
rely on alternative decompositions either. Thus it can
evade the MLC theorem for the same reason.

On the other hand, our protocol is still concealing
against Bob even though $\rho_0^B \perp \rho_1^B$. The MLC
theorem suggests that protocols satisfying this condition
cannot be secure, because Bob can always perform a
measurement which optimally distinguishes $\rho_0^B$ and
$\rho_1^B$, and thus learn the value of b without Alice's help.
But in our protocol, even though $\rho_0^B$ and $\rho_1^B$ are
distinguishable theoretically as the states are orthogonal,
Bob is unable to perform the corresponding measurement
before the unveil phase while escaping Alice's detection.
This is because the protocol puts a limit on the number of
qubits that he is allowed to measure, as he is required to
apply the intercept mode with probability a < 1 - d/n
only. So the key question is whether a dishonest Bob can
make his intercept mode indistinguishable from the bypass
mode to Alice with a probability higher than it was
evaluated in step (5) of our protocol. This is prevented
by two important features of the QKD scheme [94] on
which our QBC protocol is based. First, the use of the
storage rings ensures that the two wave packets of each
single qubit of Alice are never present simultaneously in
the quantum channels. This prevents Bob from knowing the
arrival of Alice's qubit in time by measuring channel A
alone, as it will disturb the state of the qubit and make
the intercept mode lose its advantage of distinguishing
Alice's state. Secondly, Alice's sending time is random
and kept secret until step (7). Therefore in step (5) Bob
has to decide by himself whether to send $|\Psi_0\rangle$ into the
quantum channels to Alice, before he can be sure whether he
will detect a qubit in the quantum channels from Alice.
He cannot avoid the case where he has sent $|\Psi_0\rangle$ to
Alice, but finds out later that Alice has not sent him a
qubit at the corresponding time instant. Then his
interception will be revealed once Alice detects
$|\Psi_0\rangle$, just as expected in the protocol. Thus a
dishonest Bob intercepting more qubits than allowed will
inevitably introduce a very high estimated value of a in
step (6), so that the cheating will be revealed.

More generally, if there exists a strategy enabling Bob
to intercept most of Alice's qubits without being detected,
then in the QKD scheme [94], an eavesdropper will be
able to apply the same strategy to gain a non-trivial
amount of information on the secret key while escaping
detection too. But there were already many studies
on the scheme in [94] proving that it is indeed
unconditionally secure (91 M ll0lHl03j . Therefore all these
proofs can be regarded as further support for the security
of our protocol.

In short, the use of orthogonal states makes our protocol
evade Alice's cheating strategy suggested by the no-go
proofs, while the security against Bob is provided by the
security of the QKD scheme on which our QBC protocol
is based.



V. LIMITATIONS AND APPLICATIONS 

Nevertheless, our protocol has the limitation that it 
cannot force Alice to commit to a classical bit. Alice can 
skip step (3). Then in step (4), instead of choosing a 
particular codeword c and preparing the system B to be 



sent to Bob in the state \^! r ) = |W r 



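she introduces an ancillary system A and prepares the
state of the incremented system $A \otimes B$ in an entangled
form as

$$|A \otimes B\rangle = \sum_{c \in C} \lambda_c |e_c\rangle \otimes |\Psi_c\rangle
= \sum_{c \in C_{(0)}} \lambda_c |e_c\rangle \otimes |\Psi_c\rangle
+ \sum_{c \in C_{(1)}} \lambda_c |e_c\rangle \otimes |\Psi_c\rangle. \qquad (7)$$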

Here $\{|e_c\rangle\}$ is a set of orthogonal states that forms a basis
of system A. Alice keeps system A at her side unmeasured,
and sends system B to Bob to complete the rest of
the commit protocol. By the time she needs to unveil the
committed b, she completes the measurement on system
A and knows which $|\Psi_c\rangle$ system B collapsed to. With
this method, she can learn what can be announced as the
value of the codeword c (and therefore b) without
conflicting with Bob's measurement. As a consequence, her
commitment was kept at the quantum level until the unveil
phase. But we must note that this problem, according
to Sec. III of [99], "is not considered a security failure
of a quantum BC protocol per se". This is because, as
we showed above, our protocol has the feature
$\rho_0^B \perp \rho_1^B$, i.e., all $|\Psi_c\rangle$ corresponding to the
codewords $c \in C_{(0)}$ are orthogonal to those corresponding
to $c \in C_{(1)}$. Thus the probability for the state Eq. (7) to
be unveiled as b = 0 successfully is

$$p_0 = \sum_{c \in C_{(0)}} |\lambda_c|^2, \qquad (8)$$

while the probability for it to be unveiled as b = 1 is

$$p_1 = \sum_{c \in C_{(1)}} |\lambda_c|^2. \qquad (9)$$

The normalization condition for Eq. (7) gives

$$p_0 + p_1 = 1. \qquad (10)$$

Therefore, although our protocol cannot force Alice to
commit to a particular classical value of b, she is forced
to commit to a probability distribution $(p_0, p_1)$ once she
has prepared the state of $A \otimes B$ in step (4). She can no
longer change the value of either $p_0$ or $p_1$ later. The final
value of the unveiled b is completely out of her control.
Instead, it is determined by the quantum uncertainty in her
final measurement on the system A. As stated clearly in [99],
when Eq. (10) is satisfied, the protocol already meets the
requirement of what is defined as unconditionally secure
QBC. Note that the relativistic bit commitment protocol [53]
is well-accepted as being unconditionally secure, even
though it has exactly the same problem. Most previous QBC
protocols are considered insecure because the corresponding
$p_0 + p_1$ is larger and cannot be made arbitrarily close to 1.
In fact in some of these protocols (e.g., @;3)j $p_0 + p_1$ even
reaches or is arbitrarily close to 2. On the other hand, if a
protocol can force Alice to commit to a particular classical
b, i.e., besides $p_0 + p_1 = 1$, both $p_0$ and $p_1$ can only take
the values 0 or 1 instead of any value in between, then it is
called a bit commitment with a certificate of classicality
(BCCC) [99]. Namely, our protocol is a QBC but not a BCCC.

The difference between QBC and BCCC makes it important
to re-examine the relationship between BC and
other cryptographic tasks at the quantum level. For example,
though BC and oblivious transfer (OT) 0, Il04j |
are equivalent at the classical level, our QBC protocol
may not lead to unconditionally secure quantum OT
(QOT) [1, 105], at least, not in the traditional way
described in these references. Note that there are many
variations of OT 0, e.g., 1-out-of-2 OT [105], [106]. Here
we use the original one (ll. Iioij ] (also called all-or-nothing
OT) as an example. It is defined as the following process.
Alice wants to transfer a secret bit $b \in \{0, 1\}$ to Bob. At
the end of the protocol, either Bob could learn the value
of b with the reliability (which means the probability for
Bob's output b to be equal to Alice's input) 100%, or he
has zero knowledge on b. Each case should occur with
the probability 1/2, and which one finally happens is out
of their control. Meanwhile, Alice should learn nothing
about which case takes place. According to Sec. 2 of [1],
QOT can be built upon BC as follows.

The QOT protocol:

(I) Let $|0,0\rangle$ and $|0,1\rangle$ be two orthogonal states of a
qubit, and define $|1,0\rangle = (|0,0\rangle + |0,1\rangle)/\sqrt{2}$,
$|1,1\rangle = (|0,0\rangle - |0,1\rangle)/\sqrt{2}$. That is, the state of a
qubit is denoted as $|a_i, g_i\rangle$, where $a_i$ represents the
basis and $g_i$ distinguishes the two states in the same basis.
For $i = 1, \ldots, n$, Alice randomly picks $a_i, g_i \in \{0, 1\}$ and
sends Bob a qubit $\phi_i$ in the state $|a_i, g_i\rangle$.

(II) For $i = 1, \ldots, n$, Bob randomly picks a basis
$b_i \in \{0, 1\}$ to measure $\phi_i$ and records the result as
$|b_i, h_i\rangle$. Then he commits $(b_i, h_i)$ to Alice using the BC
protocol.

(III) Alice randomly picks a subset $R \subset \{1, \ldots, n\}$ and
tests Bob's commitment at positions in R. If any $i \in R$
reveals $a_i = b_i$ and $g_i \neq h_i$, then Alice stops the protocol;
otherwise, the test result is accepted.

(IV) Alice announces the bases $a_i$ ($i = 1, \ldots, n$). Let $T_0$
be the set of all $1 \le i \le n$ with $a_i = b_i$, and $T_1$ be the set
of all $1 \le i \le n$ with $a_i \neq b_i$. Bob chooses
$I_0 \subset T_0 - R$, $I_1 \subset T_1 - R$ with $|I_0| = |I_1| = 0.24n$,
and sends $\{I_0, I_1\}$ in random order to Alice.

(V) Alice picks a random $s \in \{0, 1\}$, and sends s,
$\beta_s = b \oplus \bigoplus_{i \in I_s} g_i$ to Bob. Bob computes
$b = \beta_s \oplus \bigoplus_{i \in I_s} h_i$ if $I_s \subset T_0$;
otherwise does nothing.
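
The bookkeeping of steps (I)-(V) for honest parties, as an added classical simulation that is not part of the paper: it samples measurement outcomes instead of simulating qubits and treats the BC of step (II) as ideal. The function names and the size |R| = n/10 are assumptions of this sketch.

```python
import random


def run_qot(b, n=400, test_fraction=0.1, rng=None):
    """One honest run of steps (I)-(V).

    Returns Bob's decoded bit, or None when the set Alice picked gives him
    no information. Sketch assumptions: outcomes are sampled classically,
    the commitment of step (II) is ideal (Bob's records are fixed once
    made), and |R| = test_fraction * n, a size the text leaves open.
    """
    rng = rng or random.Random()
    idx = range(n)

    # (I) Alice's bases a_i and labels g_i of the qubits |a_i, g_i>.
    a = [rng.randrange(2) for _ in idx]
    g = [rng.randrange(2) for _ in idx]

    # (II) Bob measures in basis b_i: a matching basis reproduces g_i,
    # a mismatched one yields a uniformly random h_i.
    bob_basis = [rng.randrange(2) for _ in idx]
    h = [g[i] if a[i] == bob_basis[i] else rng.randrange(2) for i in idx]

    # (III) Alice opens a random subset R of the commitments.
    R = set(rng.sample(idx, int(test_fraction * n)))
    if any(a[i] == bob_basis[i] and g[i] != h[i] for i in R):
        raise RuntimeError("commitment test failed: Alice stops")

    # (IV) Untested positions, split by whether the bases matched.
    T0 = [i for i in idx if i not in R and a[i] == bob_basis[i]]
    T1 = [i for i in idx if i not in R and a[i] != bob_basis[i]]
    k = round(0.24 * n)
    if min(len(T0), len(T1)) < k:
        raise RuntimeError("too few usable positions: rerun with new qubits")
    announced = [(rng.sample(T0, k), True), (rng.sample(T1, k), False)]
    rng.shuffle(announced)  # {I_0, I_1} sent in random order

    # (V) Alice masks b with the g_i of the set indexed by her random s.
    s = rng.randrange(2)
    I_s, inside_T0 = announced[s]
    beta = b
    for i in I_s:
        beta ^= g[i]
    if not inside_T0:
        return None  # I_s was drawn from T_1: Bob does nothing
    decoded = beta
    for i in I_s:
        decoded ^= h[i]
    return decoded


def transfer_statistics(trials=2000, seed=7):
    """Fraction of runs in which Bob decodes, and whether he is always right."""
    rng = random.Random(seed)
    decoded_runs, always_right = 0, True
    for _ in range(trials):
        b = rng.randrange(2)
        out = run_qot(b, rng=rng)
        if out is not None:
            decoded_runs += 1
            always_right = always_right and out == b
    return decoded_runs / trials, always_right


if __name__ == "__main__":
    print(transfer_statistics())
```

About half of the runs end with Bob holding b exactly and the other half with nothing, which is the all-or-nothing behaviour the definition above asks for.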

If QBC instead of BCCC is used as the BC protocol
in step (II), Bob can make use of its limitation to enable
a so-called honest-but-curious attack [107-110], as
shown below. For each i ($i = 1, \ldots, n$), Bob does not
pick a classical $b_i$ and measure it in step (II). Instead,
he introduces two ancillary qubit systems $B_i$ and $H_i$ as
the storages for the bits $b_i$ and $h_i$, and prepares their
initial states as $|B_i\rangle = (|0\rangle_B + |1\rangle_B)/\sqrt{2}$ and
$|H_i\rangle = |0\rangle_H$ respectively. Here $|0\rangle$ and $|1\rangle$ are
orthogonal. Then he applies the unitary transformation

$$U_1 = |0\rangle_B\langle 0| \otimes |0,0\rangle_\phi\langle 0,0| \otimes I_H
+ |0\rangle_B\langle 0| \otimes |0,1\rangle_\phi\langle 0,1| \otimes \sigma_H^{(x)}
+ |1\rangle_B\langle 1| \otimes |1,0\rangle_\phi\langle 1,0| \otimes I_H
+ |1\rangle_B\langle 1| \otimes |1,1\rangle_\phi\langle 1,1| \otimes \sigma_H^{(x)} \qquad (11)$$

on the incremented system $B_i \otimes \phi_i \otimes H_i$. Here $I_H$ and
$\sigma_H^{(x)}$ are the identity operator and Pauli matrix of system
$H_i$ that satisfy $I_H |0\rangle_H = |0\rangle_H$ and
$\sigma_H^{(x)} |0\rangle_H = |1\rangle_H$, respectively. The effect of $U_1$
is like running a quantum computer program that if
$|B_i\rangle = |0\rangle_B$ ($|B_i\rangle = |1\rangle_B$) then measures qubit
$\phi_i$ in the basis $b_i = 0$ ($b_i = 1$), and stores
the result $h_i$ in system $H_i$. It is different from a classical
program with the same function as no destructive measurement
is really performed, since $U_1$ is not a projective
operator. Consequently, the bits $b_i$ and $h_i$ are kept at
the quantum level instead of being collapsed to classical
values.

Bob then commits $(b_i, h_i)$ to Alice at the quantum
level. This can always be done in a QBC protocol which
does not satisfy the definition of BCCC. For example, to
commit $b_i$ in our QBC protocol, Bob further introduces
two ancillary systems E and $\Psi$ and prepares the initial
state as

$$|E \otimes \Psi\rangle = N \sum_{c \in C_{(0)}} |e_c\rangle \otimes |\Psi_c\rangle, \qquad (12)$$

where N is the normalization constant. Let $U_{E \otimes \Psi}$ be a
unitary transformation on $E \otimes \Psi$ which can map each
$|e_c\rangle \otimes |\Psi_c\rangle$ ($c \in C_{(0)}$) into a
$|e_c\rangle \otimes |\Psi_c\rangle$ ($c \in C_{(1)}$), i.e., it satisfies
$U_{E \otimes \Psi} |E \otimes \Psi\rangle = N \sum_{c \in C_{(1)}} |e_c\rangle \otimes |\Psi_c\rangle$.
Bob applies the unitary transformation

$$U_2 = |0\rangle_B\langle 0| \otimes I_{E \otimes \Psi} + |1\rangle_B\langle 1| \otimes U_{E \otimes \Psi} \qquad (13)$$

on the incremented system $B_i \otimes E \otimes \Psi$, where
$I_{E \otimes \Psi}$ is the identity operator of system $E \otimes \Psi$.
As a result, we can see that the final state of
$B_i \otimes \phi_i \otimes H_i \otimes E \otimes \Psi$ will be very
similar to Eq. (7) if we view $B_i \otimes \phi_i \otimes H_i \otimes E$ as
system A. Then Bob can follow the process after Eq. (7) (note that
now Bob becomes the sender of the commitment while
Alice becomes the receiver) to complete the commitment
of $b_i$ without collapsing it to a classical value. He can do
the same to $h_i$.

Back to step (III) of the QOT protocol. Whenever
$(b_i, h_i)$ ($i \in R$) are picked to test the commitment, Bob
simply unveils them honestly. Since these $(b_i, h_i)$ will no
longer be useful in the remaining steps of the protocol, it
does not hurt Bob's cheating. Note that the rest $(b_i, h_i)$
($i \notin R$) are still kept at the quantum level. After Alice
announced all bases $a_i$ ($i = 1, \ldots, n$) in step (IV), Bob
introduces a single global control qubit S' for all i,
initialized in the state $|s'\rangle = (|0\rangle_{S'} + |1\rangle_{S'})/\sqrt{2}$, and
yet another ancillary system $\Gamma_i$ for each
$i \in T_0 \cup T_1 - R$ initialized in the state
$|\Gamma_i\rangle = |0\rangle_\Gamma$. Then he applies the
unitary transformation

$$U_3 = |0\rangle_{S'}\langle 0| \otimes |a_i\rangle_B\langle a_i| \otimes I_\Gamma
+ |0\rangle_{S'}\langle 0| \otimes |\neg a_i\rangle_B\langle \neg a_i| \otimes \sigma_\Gamma^{(x)}
+ |1\rangle_{S'}\langle 1| \otimes |a_i\rangle_B\langle a_i| \otimes \sigma_\Gamma^{(x)}
+ |1\rangle_{S'}\langle 1| \otimes |\neg a_i\rangle_B\langle \neg a_i| \otimes I_\Gamma \qquad (14)$$

on the incremented system $S' \otimes B_i \otimes \Gamma_i$. Here
$I_\Gamma$ and $\sigma_\Gamma^{(x)}$ are the identity operator and Pauli
matrix of system $\Gamma_i$ that satisfy
$I_\Gamma |0\rangle_\Gamma = |0\rangle_\Gamma$ and
$\sigma_\Gamma^{(x)} |0\rangle_\Gamma = |1\rangle_\Gamma$, respectively.
The effect of $U_3$ is to compare $a_i$ with $b_i$ and store
the result $(a_i \neq b_i) \oplus s'$ in $\Gamma_i$. Bob then measures
all $\Gamma_i$ ($i \in T_0 \cup T_1 - R$) in the basis
$\{|0\rangle_\Gamma, |1\rangle_\Gamma\}$, takes $T_0$ ($T_1$)
as the set of all $1 \le i \le n$ with $|\Gamma_i\rangle = |0\rangle_\Gamma$
($|\Gamma_i\rangle = |1\rangle_\Gamma$) instead of how they are defined in
step (IV), and finishes the remaining parts of the QOT protocol.

With this method, the division of $I_0$, $I_1$ is kept at the
quantum level. Let $I_=$ ($I_\neq$) denote the set corresponding
to $a_i = b_i$ ($a_i \neq b_i$). We can see that $U_3$ makes
$I_0 = I_=$, $I_1 = I_\neq$ when $s' = 0$, while $I_0 = I_\neq$,
$I_1 = I_=$ when $s' = 1$. Since S' was initialized as
$|s'\rangle = (|0\rangle_{S'} + |1\rangle_{S'})/\sqrt{2}$, the actual result of
step (IV) can be described by

$$\Big| S' \otimes \Big( \bigotimes_i B_i \otimes \phi_i \otimes H_i \otimes E'_i \Big) \Big\rangle
= \big( |0\rangle_{S'} \otimes |I_0 = I_= \vee I_1 = I_\neq\rangle
+ |1\rangle_{S'} \otimes |I_0 = I_\neq \vee I_1 = I_=\rangle \big)/\sqrt{2}, \qquad (15)$$

where $E'_i$ stands for all the ancillary systems Bob
introduced in the process of committing $(b_i, h_i)$. Suppose that
Bob announces $\{I_0, I_1\}$ in their original order to Alice,
i.e., he never announces them in the order $\{I_1, I_0\}$. After
Alice announced s and $\beta_s$ in step (V), the systems under
Bob's possession can be viewed as

$$\big( |s\rangle_{S'} \otimes |I_s = I_=\rangle + |\neg s\rangle_{S'} \otimes |\mathrm{fail}\rangle \big)/\sqrt{2}. \qquad (16)$$



It means that if Bob measures system S' in the basis
$\{|0\rangle_{S'}, |1\rangle_{S'}\}$ and the result $|s'\rangle_{S'}$ satisfies
$s' = s$, then he is able to measure the rest of the systems and
decode the secret bit b unambiguously; else, if the result
satisfies $s' \neq s$, then he knows that he fails to decode b. Now
the trickiest part is that, as the value of s' was kept at
the quantum level before system S' is measured, at
this stage a dishonest Bob can choose not to measure S'
in the basis $\{|0\rangle_{S'}, |1\rangle_{S'}\}$. Instead, by denoting
$|b\rangle = |s\rangle_{S'} \otimes |I_s = I_=\rangle$ and
$|?\rangle = |\neg s\rangle_{S'} \otimes |\mathrm{fail}\rangle$, Eq. (16) becomes
$|\Phi_b\rangle = (|b\rangle + |?\rangle)/\sqrt{2}$, where
$|b = 0\rangle = (1\ 0\ 0)^T$, $|b = 1\rangle = (0\ 1\ 0)^T$, and
$|?\rangle = (0\ 0\ 1)^T$ are mutually
orthogonal. Then according to Eq. (33) of [107], Bob
can distinguish them using the positive operator-valued
measure (POVM) $(E_0, I - E_0)$, where

$$E_0 = \frac{1}{6}\begin{pmatrix}
2+\sqrt{3} & -1 & 1+\sqrt{3} \\
-1 & 2-\sqrt{3} & 1-\sqrt{3} \\
1+\sqrt{3} & 1-\sqrt{3} & 2
\end{pmatrix}. \qquad (17)$$

This allows Bob's decoded b to match Alice's actual
input with reliability $(1 + \sqrt{3}/2)/2$. On the contrary,
when Bob executes the QOT protocol honestly, in 1/2
of the cases he can decode b with reliability 100%; in
the remaining 1/2 of the cases, where he fails to decode b, he
can guess the value randomly, which results in a reliability of
50%. Thus the average reliability in the honest case is
$100\%/2 + 50\%/2 = 75\% < (1 + \sqrt{3}/2)/2$. Note that in
the above dishonest strategy, in any case Bob can never
decode b with reliability 100%. Therefore it is debatable
whether it can be considered as a successful cheating, as
the strategy does not even accomplish what an honest
Bob can do. That is why it is called honest-but-curious
behavior [108], [109]. The existence of this loophole may
actually come from the fact that in the literature, there
is a lack of a self-consistent definition of OT specifically
made for the quantum case. That is, the goal "reaching
reliability 100% and 50% with equal probabilities" may
conflict with "reaching a maximal average reliability 75%
with probability 100%" by nature, so that it seems
unrealistic to require a protocol to satisfy both goals
simultaneously. Therefore it is somewhat unfair to consider
it as a limitation on the power of quantum cryptography
itself. Nevertheless, as this honest-but-curious behavior
provides Bob with the freedom to choose between
accomplishing the original goal of QOT and achieving a
higher average reliability, it may leave room for potential
problems when we want to build even more complicated
cryptographic protocols upon such a QBC-based QOT.
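
An added numerical check of the two reliabilities compared above (not part of the paper): it builds the minimum-error measurement for the two states (|b> + |?>)/sqrt(2), b = 0, 1, and sets its success probability against the honest average. The basis ordering |b=0>, |b=1>, |?> and all function names are assumptions of this sketch.

```python
import math

# Assumed basis ordering: |b=0>, |b=1>, |?> are the three unit vectors.


def phi(b):
    """|Phi_b> = (|b> + |?>)/sqrt(2) as a real 3-vector."""
    v = [0.0, 0.0, 1 / math.sqrt(2)]
    v[b] = 1 / math.sqrt(2)
    return v


def dot(u, v):
    return sum(x * y for x, y in zip(u, v))


def unit(v):
    norm = math.sqrt(dot(v, v))
    return [x / norm for x in v]


def optimal_projector(u, v):
    """Rank-1 element E_0 = |m0><m0| of the minimum-error measurement.

    For two equiprobable pure states the optimal orthonormal pair m0, m1
    lies in their span, placed symmetrically about u and v.
    """
    e_sum = unit([x + y for x, y in zip(u, v)])
    e_diff = unit([x - y for x, y in zip(u, v)])
    m0 = [(p + q) / math.sqrt(2) for p, q in zip(e_sum, e_diff)]
    return [[x * y for y in m0] for x in m0]


def expectation(E, v):
    """<v|E|v> for a real symmetric matrix E."""
    return sum(v[i] * E[i][j] * v[j] for i in range(3) for j in range(3))


def curious_reliability():
    """Per-bit and average success of the POVM (E_0, I - E_0)."""
    E0 = optimal_projector(phi(0), phi(1))
    right_if_0 = expectation(E0, phi(0))      # outcome E_0 read as b = 0
    right_if_1 = 1 - expectation(E0, phi(1))  # outcome I - E_0 read as b = 1
    return right_if_0, right_if_1, (right_if_0 + right_if_1) / 2, E0


def helstrom_bound(u, v):
    """Best possible success probability for two equiprobable pure states."""
    return (1 + math.sqrt(1 - dot(u, v) ** 2)) / 2


def honest_reliability():
    """Honest Bob: certain in half of the runs, a coin-flip guess otherwise."""
    return 0.5 * 1.0 + 0.5 * 0.5


if __name__ == "__main__":
    r0, r1, avg, E0 = curious_reliability()
    print("per-bit:", r0, r1, "average:", avg)
    print("Helstrom bound:", helstrom_bound(phi(0), phi(1)))
    print("honest average:", honest_reliability())
    print("6*E0:", [[round(6 * x, 4) for x in row] for row in E0])
```

The average meets the minimum-error bound for states with overlap 1/2, while neither per-bit success reaches 1, which is the trade-off the paragraph describes.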

Despite this limitation, our QBC protocol can still
be used to build many other "post-cold-war era" multi-party
quantum cryptographic protocols. For example,
since it makes committing a single bit possible, repeating
the protocol many times immediately enables
quantum bit string commitment (QBSC) [111]. Also,
building quantum strong coin tossing (QCT, a.k.a. quantum
coin flipping) [3] with an arbitrarily small bias is
straightforward. Alice and Bob first execute our commit
protocol. Then Bob announces a random bit x classically.
Finally, Alice unveils her committed bit b, and the two
parties accept $y = b \oplus x$ as the coin tossing result. It is
trivial to show that even if Alice kept b at the quantum
level until the unveil phase by using the state Eq. (7),
she cannot bias the final y since she cannot change the
probabilities $p_0$, $p_1$. Note that these results suggest that
all the existing no-go proofs of QBSC (e.g., [112], [113])
and QCT (e.g., |H lll4fil7j ) are incorrect. This is not
surprising, because all these no-go proofs are also based
on some conditions similar to $\rho_0^B \simeq \rho_1^B$, or even built
directly on top of the no-go theorem of QBC, which are all
inapplicable to our case.



VI. FEASIBILITY

Our protocol is very feasible. The QKD scheme [94]
it is based on was already experimentally implemented
recently [102]. By comparing Figs. 1 and 2 it can clearly be
seen that our QBC protocol can be implemented with
exactly the same devices as in [102]. Thus the QBSC and QCT
protocols built upon our QBC protocol are also
straightforward with currently available technology. Moreover,
as mentioned in Sec. 3, the protocol can easily be made
fault-tolerant against noisy quantum channels. Therefore
it is extremely practical.

Compared with the unconditionally secure BC protocols
based on relativity [H, H3, l56l. |57|. our protocol
reaches the same security level, while the implementation
is more convenient. This is because in all these relativistic
BC protocols, both Alice and Bob must have agents to help
them carry out the protocols. Therefore, it is in fact
no longer a two-party cryptography, as BC should
have been. Also, Alice and Bob must be separated from
their agents by a distance on the relativistic scale, i.e.,
they need to be so far apart that they cannot exchange
information in time. All these requirements obviously
limit the application of their protocols.

In [103] a variation of the QKD scheme in [94] was
proposed, which replaced the symmetric (equal transmissivity
and reflectivity) beam splitters $BS_1$ and $BS_2$ in our
FIG. 1 with asymmetric ones. The advantage is that the
sending time of the qubits no longer needs to be random.
The same idea may also apply to our protocol to bring
the same advantage.

However, it is important to note that the beam splitters
can be half-silvered mirrors or similar types, but
must not be polarizing beam splitters. This is because
the QKD scheme [94] we based on will become insecure if
polarizing beam splitters are used. Let $|H\rangle$ ($|V\rangle$) denote
the horizontally (vertically) polarized state that will always
be transmitted (reflected) by polarizing beam splitters.
Eve can simply use the same device as Charlie to
measure all states coming from Alice. Then, depending
on which one of her detectors clicks, she can send $|H\rangle$
($|V\rangle$) to Charlie through channel B (in FIG. 1) only, let
alone channel A. This can make Charlie's detector $D_1$
($D_0$) click with certainty, so that Charlie always receives
the same result as hers and therefore her cheating can
be covered. But if half-silvered mirrors or similar types
of beam splitters are used, when Eve sends a state to
Charlie through channel B alone, both of Charlie's detectors
$D_1$ and $D_0$ will have non-vanishing probabilities
to click so that Eve cannot control the result with certainty.
Then the eavesdropping will not be successful,
just as shown in the security proof in [94].



VII. RELATIONSHIP WITH THE CBH
THEOREM

The above result is also useful for developing the
understanding of fundamental theories. The CBH theorem
[96] is an attractive attempt to raise some information-theoretic
constraints to the level of fundamental laws of
Nature, from which quantum theory can be deduced.
These constraints were suggested to be three "no-go's",
which are (I) the impossibility of superluminal information
transfer, (II) the impossibility of perfectly broadcasting
an unknown state, and (III) the impossibility of
unconditionally secure BC. It was worked out in [96] that
these three constraints can jointly entail three definitive
physical characteristics of quantum theory, i.e., kinematic
independence (a.k.a. microcausality), noncommutativity,
and nonlocality. Meanwhile, to show that these three
characteristics and the above three information-theoretic
constraints are exactly equivalent, it is necessary to prove
conversely that the three characteristics can entail the
three constraints. This was only partly accomplished in
[96]. It was demonstrated that the first two characteristics
can entail constraints (I) and (II). What was left
undone is the derivation of constraint (III). Note that
some people believe that the problem was solved later
by [47]. But in fact the no-go proof of QBC in [47] was
also based on the condition $\rho_0^B \simeq \rho_1^B$, which fails to
cover our protocol. Thus the derivation of constraint (III) is
still incomplete. In our understanding, this situation is
yet another piece of evidence indicating that the MLC no-go
theorem of unconditionally secure QBC is not a necessary
deduction of quantum mechanics. In fact, the reason
why the MLC theorem was included in the three constraints,
simply put, is because it can entail nonlocality.
As can be seen from features (ii) and (iv) in our above
brief review of the MLC theorem, Alice can cheat in QBC
only when she has the capability to manipulate entangled
states. That is, the MLC theorem can be valid only if
the physical world allows entanglement, which is a typical
example of nonlocality. However, our QBC protocol
also entails nonlocality. According to [101], Eq. ^ can
be rewritten using the standard notations of quantum
optics as

$$|\Psi_0\rangle = (|0\rangle|1\rangle + |1\rangle|0\rangle)/\sqrt{2},$$
$$|\Psi_1\rangle = (|0\rangle|1\rangle - |1\rangle|0\rangle)/\sqrt{2}, \qquad (18)$$

where the first and second kets refer to the two quantum
communication channels, and the 0 and 1 inside the kets
refer to the photon number. This indicates that Alice's
transmitted states in fact contain single-photon nonlocality.
The resultant QBC can be executed only when Alice
has the capability to create such nonlocality. Otherwise,
if Alice merely sends both wave packets of a photon
simultaneously into the quantum communication channels,
i.e., nonlocality is not fully utilized, then Bob can easily
intercept, clone, and resend all these orthogonal states
without being detected. That is, our result indicates that
QBC can be unconditionally secure only if there is nonlocality
in the physical world. This somewhat clarifies
why most previously proposed QBC protocols (e.g., 0, Hj])
are insecure. In these protocols, if Alice wants to commit
honestly, then sending Bob pure states unentangled with
any system at Alice's side is already sufficient. Nonlocality
is not entailed when these protocols are supposed to
be executed honestly. Thus, it is not surprising that a
dishonest party who is capable of manipulating entangled
states can gain more advantages than what is allowed in
these protocols. On the contrary, in our protocol an Alice
who only sends unentangled pure states will no longer be
considered as honest. Nonlocality becomes a must. Thus,
we can see that no matter whether the MLC theorem is correct
or our QBC protocol could indeed be unconditionally secure,
nonlocality is entailed in both cases. Therefore, we
tend to believe that the (im)possibility of unconditionally
secure QBC is irrelevant to the goal of characterizing
quantum theory in terms of information-theoretic constraints.
To complete the CBH theorem, we may need
to seek another information-theoretic principle as the
third constraint.






VIII. SUMMARY 

We show that if a formerly proposed QKD scheme
based on orthogonal states [94] is secure, it can be used
to build a QBC protocol which remains concealing while
the reduced density matrix of the state Bob received
satisfies $\rho_0^B \perp \rho_1^B$. Thus it evades the MLC no-go
theorem (H-HI], [HI "[13 which is valid for the case
$\rho_0^B \simeq \rho_1^B$ only. The resultant QBC protocol is not a bit
commitment with a certificate of classicality; thus, it cannot
lead to unconditionally secure quantum oblivious transfer
in the traditional way. But it can lead to quantum
bit string commitment and quantum strong coin tossing.
This finding suggests that a different principle other than
the MLC no-go theorem is needed for the CBH theorem
to completely characterize quantum theory in terms of
information-theoretic constraints.

Appendix A: Defeating the counterfactual attack

Though our protocol is unconditionally secure in principle,
as we mentioned at the end of Sec. III, under practical
settings minor modifications may be needed against
technical attacks.

Recently a cheating strategy against counterfactual
QKD protocols [ill, Lllll was proposed [120]. Unlike
general intercept-resend attacks in which measurements
are performed on the quantum states carrying the secret
information, in this strategy the cheater makes use
of the quantum counterfactual effect to detect the working
modes of the devices of other participants. Thus it was
named "the counterfactual attack" [120]. Here we will
skip how it applies to QKD protocols, and focus only
on its impact on our QBC protocol.

FIG. 3 illustrates the apparatus for the attack [120].
The core is a "fictitious" beam splitter (FBS) which has
the following functions.

(f1) Any photon hitting the FBS from path c will be
reflected with certainty.

(f2) When the paths a and b are adjusted correctly, two
wave packets coming from paths a and b respectively will
interfere and combine together, and enter path c with
certainty.

(f3) Any photon hitting the FBS from path a will pass
through the FBS and enter path d with certainty.

An ideal FBS that can realize these functions faithfully
does not exist in principle. Thus it is called "fictitious".
For example, devices with the functions (f2) and (f3) may
not accomplish the function (f1) perfectly, i.e., a photon
coming from path c could pass the devices with a non-trivial
probability, making the attack detectable. However, an FBS
can be implemented approximately by using an infinite number
of ordinary BS [119, 120]. In practice,
the number of BS involved in the implementation has to
be finite. But if the deviation from an ideal FBS is too
small to be detected within the capability of available
technology, then the attack could become a real threat.

FIG. 3: Diagram of the apparatus for Alice's counterfactual attack. A single-photon pulse produced by the source S passes
through the optical circulator $C_1$ and hits the "fictitious" beam splitter (FBS) along path c. Path a is adjusted by the optical
delay OD, followed by a Faraday mirror FM. Any photon coming from path c from the right to the left will be detected by the
detector $D_c$, while the detector $D_d$ detects any photon coming from path d. Path b is connected to both the input and output
of Bob's channel A at time $t_j$ (or both the input and output of Bob's channel B at time $t_j + \tau$) via the optical circulator $C_2$.

Suppose that an ideal FBS is available to a dishonest
Alice in our QBC protocol. At each time instant $t_j$ (or
$t_j + \tau$) in step (4), she runs both the FBS system in
FIG. 3 and the apparatus in the honest protocol (i.e.,
the one shown in FIG. 2) simultaneously in parallel, with
path b of the FBS system connecting to both the input
and output of Bob's channel A (or both the input and
output of Bob's channel B). The apparatus in FIG. 2
works as usual so that the protocol can be executed as
if she is honest, while the FBS system serves as a probe
to detect Bob's mode. According to the function (f2)
of the FBS, whenever Bob applies the bypass mode in
step (5), the wave packets of a photon Alice sent to the
FBS will be returned from both paths a and b so that
the detector $D_c$ will click with certainty. On the other
hand, whenever Bob applies the intercept mode, an ideal
FBS can guarantee that $D_c$ will never click as path b is
actually blocked. Therefore Alice can learn Bob's mode
unambiguously. Since Bob does not know the state
$|\Psi_{c_i}\rangle$ Alice sends when he applies the bypass mode,
Alice can lie about the value of the corresponding $c_i$
freely, and thus alter her committed b in the unveil phase.

Nevertheless, it is easy to defeat this counterfactual
attack. As pointed out in Ref. [120], Bob's randomizing
the optical length of path b is sufficient to destroy the
interference effect in the FBS system. Therefore in our
protocol, Bob can simply add phase shifters (other than
the one shown in FIG. 2) to both channels A and B when
he applies the bypass mode, to introduce the same phase
shift in both channels so that an honest Alice will not
be affected. Meanwhile, the amount of this phase shift
is randomly chosen and kept secret from Alice, thus she
cannot know how to adjust path a to ensure that $D_c$ clicks
with certainty. Consequently, there will be times that
Alice does not know which mode Bob is running. Then
the number of $c_i$'s that she can alter will be limited, which
is insufficient to change the committed b as long as the
value of d/n in our QBC protocol is properly chosen.